Microsoft Azure discoveries
Two types of Microsoft Azure discoveries are supported:
- Microsoft Azure virtual network discoveries, which browse resources hosted on Azure such as virtual machines. The discovered assets are listed by address and can later be saved as agentless mode connections.
- Microsoft Entra ID (formerly Azure AD) discoveries, which list all the devices registered in the directory, wherever they are hosted. This discovery provides a broad view of available assets. It is also possible to perform external scans on devices managed by Microsoft Intune.
Both types of discovery use the same type of credentials, although the required permissions are different.
Prerequisites
Microsoft Entra ID
Microsoft Graph API rights with the following permissions:
- Device.Read.All
- DeviceManagementManagedDevices.Read.All
Administrator consent
Configure API accesses
To get an application client ID, you need to access the Microsoft Entra console, service Microsoft Entra ID, and create a new app registration. From its overview, you should be able to get your tenant ID and the application's client ID.
Once the app registration is created, you need to give it read access to your infrastructure, from the Subscriptions service, Access control (IAM) menu, Role assignments tab.
Back to the app registration, you may then create a client secret from menu Certificates & secrets.
With these three pieces of information (tenant ID, client ID and client secret), you will be able to create a Microsoft Azure credential in Cyberwatch from menu Stored credentials.
Create a Microsoft Entra ID discovery
Microsoft Entra ID discoveries require the specific Microsoft Graph API permissions listed in the prerequisites. You can grant them using the Azure portal, service Microsoft Entra ID, menu App registrations, selecting your application, then in menu API permissions by clicking button Add a permission.
After granting the permissions, you need to validate them by granting admin consent, on the same page.
Back to Cyberwatch, section Assets:
- From Discoveries, click Add. Click Microsoft Entra ID in the Local infrastructure category
- Enter the name of the scan
- Select optional groups that will be assigned to the scan
- Choose the source of the scan (the Cyberwatch machine that will run the operation)
- Using the Credentials selector, pick the Microsoft Azure account registered in previous steps
- Choose a recurrence. The default value 0 days means the scan will be launched only once
- Click Confirm
Assets are listed by display name, which is usually not enough for performing WinRM or SSH scans. However, the discovery detects assets managed by Microsoft Intune and obtains their device ID, which can be used to create Microsoft Intune agentless connections.
Creation of Microsoft Intune agentless connections requires the activation of this connection type in the Administration > Connectors management menu.
Assets can be added to Cyberwatch manually from the list of discovered assets, or by selecting an agentless mode connection credential of type Microsoft Azure in the discovery edit form.
Scans performed through Microsoft Intune detect the Windows version and the installed applications, providing a quick and easy way to scan a set of assets without having an account on the assets. However, without the ability to run code on the assets, the scanning capabilities are limited.
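As an added illustration of what the Entra ID discovery described above does with the two Graph permissions (this is example code, not Cyberwatch's own implementation), the script below authenticates the app registration with the client-credentials flow, reads the directory device list and the Intune managed-device list, and joins them so that each directory device carries its Intune device ID when Intune manages it. It assumes the standard Microsoft Graph v1.0 endpoints `/devices` and `/deviceManagement/managedDevices` and their `deviceId` / `azureADDeviceId` fields; the sample responses at the bottom are constructed with placeholder IDs so the correlation step runs offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the app registration (network call)."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]

def graph_get_all(token, path):
    """Fetch every page of a Graph collection by following @odata.nextLink."""
    url, items = GRAPH + path, []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as r:
            page = json.load(r)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def correlate(devices, managed):
    """One asset per directory device; intune_device_id is set only when Intune manages it.
    /devices needs Device.Read.All; /deviceManagement/managedDevices needs
    DeviceManagementManagedDevices.Read.All. Join key: deviceId == azureADDeviceId."""
    by_entra_id = {m["azureADDeviceId"]: m for m in managed if m.get("azureADDeviceId")}
    assets = []
    for d in devices:
        m = by_entra_id.get(d.get("deviceId"))
        assets.append({"display_name": d.get("displayName"),
                       "entra_device_id": d.get("deviceId"),
                       "intune_device_id": m["id"] if m else None})
    return assets

# Constructed sample responses with placeholder ids (not real tenant data).
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-01", "deviceId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"displayName": "SERVER-02", "deviceId": "aaaaaaaa-0000-0000-0000-000000000002"}]
SAMPLE_MANAGED = [
    {"id": "bbbbbbbb-0000-0000-0000-000000000001",
     "azureADDeviceId": "aaaaaaaa-0000-0000-0000-000000000001"}]
```

Against a real tenant, pass `graph_get_all(token, "/devices")` and `graph_get_all(token, "/deviceManagement/managedDevices")` to `correlate`; a 403 on either call means the corresponding permission or its admin consent is missing.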